Common Weakness Enumeration

CWE-24

Allowed

Path Traversal: '../filedir'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

187 vulnerabilities reference this CWE, most recent first.

GHSA-6M8G-7XRR-8Q5F

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33
VLAI
Details

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T15:16:34Z",
    "severity": "CRITICAL"
  },
  "details": "Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.",
  "id": "GHSA-6m8g-7xrr-8q5f",
  "modified": "2026-05-27T15:33:28Z",
  "published": "2026-05-27T15:33:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webmin/webmin/compare/2.630...2.640"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6V3V-M4WM-CHJF

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.",
  "id": "GHSA-6v3v-m4wm-chjf",
  "modified": "2022-07-07T00:00:29Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1743"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-764P-G9XX-6QM8

Vulnerability from github – Published: 2025-04-20 03:50 – Updated: 2025-04-20 03:50
VLAI
Details

In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-20T03:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.",
  "id": "GHSA-764p-g9xx-6qm8",
  "modified": "2025-04-20T03:50:41Z",
  "published": "2025-04-20T03:50:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43928"
    },
    {
      "type": "WEB",
      "url": "https://cfp.eh22.easterhegg.eu/eh22/talk/9UDXSE"
    },
    {
      "type": "WEB",
      "url": "https://mint-secure.de/path-traversal-vulnerability-in-surveillance-software"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77RV-VMXX-P9GP

Vulnerability from github – Published: 2025-08-05 00:30 – Updated: 2025-08-05 00:30
VLAI
Details

LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-04T23:15:28Z",
    "severity": "LOW"
  },
  "details": "LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.",
  "id": "GHSA-77rv-vmxx-p9gp",
  "modified": "2025-08-05T00:30:26Z",
  "published": "2025-08-05T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46094"
    },
    {
      "type": "WEB",
      "url": "https://docs.liquidfiles.com/release_notes/version_4-1-x.html"
    },
    {
      "type": "WEB",
      "url": "https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78J5-8VQ7-JXV5

Vulnerability from github – Published: 2025-09-04 15:30 – Updated: 2025-09-05 15:33
VLAI
Summary
Memos Vulnerable to Path Traversal via the CreateResource Endpoint
Details

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-56760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T15:33:36Z",
    "nvd_published_at": "2025-09-03T17:15:34Z",
    "severity": "MODERATE"
  },
  "details": "When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.",
  "id": "GHSA-78j5-8vq7-jxv5",
  "modified": "2025-09-05T15:33:36Z",
  "published": "2025-09-04T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56760"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48"
    },
    {
      "type": "WEB",
      "url": "https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memos Vulnerable to Path Traversal via the CreateResource Endpoint"
}

GHSA-7RF6-522Q-9WQ4

Vulnerability from github – Published: 2022-12-27 09:30 – Updated: 2023-01-06 06:30
VLAI
Details

A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-27T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.",
  "id": "GHSA-7rf6-522q-9wq4",
  "modified": "2023-01-06T06:30:25Z",
  "published": "2022-12-27T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.216863"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-824X-88XG-CWRV

Vulnerability from github – Published: 2026-01-05 20:02 – Updated: 2026-01-08 20:07
VLAI
Summary
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
Details

Summary

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. image image

Details

The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.
An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.

Vulnerable code: - redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR'] - redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path

This allows disclosure of sensitive files such as: - redaxo/data/core/config.yml → database credentials + password hashes of all backend users - .env, custom configuration files, logs, uploaded malicious files, etc.

Affected versions

≤ 5.20.1 (confirmed working)

Patched versions

None (as of 2025-12-09)

PoC – Extracting database credentials and password hashes

  1. Log in as any user with Backup permission
  2. Go to Backup → Export → Files

image

  1. Intercept the request with Burp Suite

image

  1. Change one EXPDIR[] value to ../../../../var/www/html/redaxo/data/core

image

  1. Send request → download archive image

  2. Extract and open data/core/config.yml image

Result: plaintext database password image

Impact

Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE

CVSS 4.0 vector & score below.

Credits

Discovered by: Łukasz Rybak

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.20.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "redaxo/source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T20:02:58Z",
    "nvd_published_at": "2026-01-07T23:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAuthenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon\u0027s file export functionality.\n\u003cimg width=\"664\" height=\"899\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5\" /\u003e\n\u003cimg width=\"2358\" height=\"445\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb\" /\u003e\n\n\n### Details\nThe Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories.  \nAn attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive.\n\nVulnerable code:\n- `redaxo/src/addons/backup/pages/export.php` (lines 72-76) \u2013 directly uses `$_POST[\u0027EXPDIR\u0027]`\n- `redaxo/src/addons/backup/lib/backup.php` (lines ~413 \u0026 ~427) \u2013 concatenates unsanitized user input with base path\n\nThis allows disclosure of sensitive files such as:\n- `redaxo/data/core/config.yml` \u2192 database credentials + password hashes of all backend users\n- `.env`, custom configuration files, logs, uploaded malicious files, etc.\n\n### Affected versions\n\u2264 5.20.1 (confirmed working)\n\n### Patched versions\nNone (as of 2025-12-09)\n\n### PoC \u2013 Extracting database credentials and password hashes\n1. Log in as any user with Backup permission\n2. Go to Backup \u2192 Export \u2192 Files\n\n\u003cimg width=\"1240\" height=\"960\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a\" /\u003e\n\n3. Intercept the request with Burp Suite \n\n\u003cimg width=\"2184\" height=\"478\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718\" /\u003e\n\n4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core`\n\n\u003cimg width=\"978\" height=\"591\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124\" /\u003e\n\n5. Send request \u2192 download archive\n\u003cimg width=\"423\" height=\"131\" alt=\"image\" src=\"https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2\" /\u003e\n\n6. Extract and open `data/core/config.yml`\n\u003cimg width=\"859\" height=\"281\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042\" /\u003e\n\nResult: plaintext database password \n\u003cimg width=\"2534\" height=\"1198\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10\" /\u003e\n\n### Impact\nFull compromise of the REDAXO installation:\n- Database takeover\n- Password hash extraction \u2192 offline cracking \u2192 admin access\n- When combined with other vulnerabilities \u2192 RCE\n\nCVSS 4.0 vector \u0026 score below.\n\n### Credits\nDiscovered by: \u0141ukasz Rybak",
  "id": "GHSA-824x-88xg-cwrv",
  "modified": "2026-01-08T20:07:42Z",
  "published": "2026-01-05T20:02:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21857"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redaxo/redaxo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/releases/tag/5.20.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read"
}

GHSA-84PC-MJPF-2CMC

Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2023-12-21 21:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4. Affected by this issue is some unknown functionality of the file /file-manager/rename.php. The manipulation of the argument newName leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248690 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4. Affected by this issue is some unknown functionality of the file /file-manager/rename.php. The manipulation of the argument newName leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248690 is the identifier assigned to this vulnerability.",
  "id": "GHSA-84pc-mjpf-2cmc",
  "modified": "2023-12-21T21:30:31Z",
  "published": "2023-12-21T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/g1an123/POC/blob/main/Unauthorized%20file%20overwrite.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.248690"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.248690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8FRC-4G87-V5H6

Vulnerability from github – Published: 2024-01-11 09:30 – Updated: 2026-04-08 21:32
VLAI
Details

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T07:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The WP Compress \u2013 Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.",
  "id": "GHSA-8frc-4g87-v5h6",
  "modified": "2026-04-08T21:32:09Z",
  "published": "2024-01-11T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6699"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3009183%40wp-compress-image-optimizer%2Ftrunk\u0026old=2994665%40wp-compress-image-optimizer%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HX5-P84Q-7QHG

Vulnerability from github – Published: 2023-06-14 09:30 – Updated: 2023-06-14 09:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in OTCMS up to 6.62. Affected is an unknown function of the file admin/readDeal.php?mudi=readQrCode. The manipulation of the argument img leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-231510 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-14T09:15:09Z",
    "severity": "LOW"
  },
  "details": "A vulnerability, which was classified as problematic, was found in OTCMS up to 6.62. Affected is an unknown function of the file admin/readDeal.php?mudi=readQrCode. The manipulation of the argument img leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. VDB-231510 is the identifier assigned to this vulnerability.",
  "id": "GHSA-8hx5-p84q-7qhg",
  "modified": "2023-06-14T09:30:42Z",
  "published": "2023-06-14T09:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3239"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HuBenLab/HuBenVulList/blob/main/OTCMS%20was%20discovered%20obtain%20the%20web%20directory%20path%20and%20other%20information%20leaked%20.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.231510"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.231510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.